From b18727b257b0e49d7c7cfdaf085ef400ae85b29a Mon Sep 17 00:00:00 2001
From: Parfii-bot
Date: Wed, 22 Apr 2026 01:01:56 +0800
Subject: [PATCH] =?UTF-8?q?feat(hooks):=20git-pre-commit-genesis=20?= =?UTF-8?q?=E2=80=94=20template=20for=20repo=20symlink=20into=20.git/hooks?= =?UTF-8?q?/pre-commit?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
hooks/git-pre-commit-genesis.sh | 50 +++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100755 hooks/git-pre-commit-genesis.sh
diff --git a/hooks/git-pre-commit-genesis.sh b/hooks/git-pre-commit-genesis.sh
new file mode 100755
index 0000000..47350c1
--- /dev/null
+++ b/hooks/git-pre-commit-genesis.sh
@@ -0,0 +1,50 @@
+#!/bin/sh
+# Git pre-commit — block Genesis-IP term leaks before they reach the index.
+#
+# INSTALL (public-facing repos only):
+# ln -sf $HOME/.claude/agents/hooks/git-pre-commit-genesis.sh .git/hooks/pre-commit
+#
+# BEHAVIOUR:
+# - Resolves the `genesis-scan` binary under the KeiSeiKit install tree.
+# - Runs `--staged --exit-on-hit` so the hook fails the commit on any hit.
+# - Bypass with GENESIS_GUARD_BYPASS=1 (visible, per-call — logged in transcript).
+#
+# EXIT:
+# 0 clean or bypassed
+# 1 usage / binary missing
+# 2 leak detected (commit blocked)
+
+set -eu
+
+SCANNER="${GENESIS_SCAN_BIN:-$HOME/.claude/agents/_primitives/_rust/target/release/genesis-scan}"
+
+if [ ! -x "$SCANNER" ]; then
+ # Absent scanner = silent no-op. Installs without the `core` or `full`
+ # profile won't have the binary; we prefer letting the commit through
+ # over noisy spam, since the runtime hook still catches new writes.
+ exit 0
+fi
+
+if "$SCANNER" --staged --format=human --exit-on-hit; then
+ exit 0
+fi
+
+# Non-zero exit from scanner = hits found.
+if [ "${GENESIS_GUARD_BYPASS:-0}" = "1" ]; then
+ echo "" >&2
+ echo "[genesis-scan] BYPASSED (GENESIS_GUARD_BYPASS=1). Hit logged above." >&2
+ exit 0
+fi
+
+cat >&2 <